06 September 2021
A number of high-profile UK organisations, including government and police force, are vulnerable to a troubling flaw in Microsoft's email service, according to a security expert.
A security flaw – described as "as serious as they come" – in Microsoft's Exchange email systems has been identified in the government's and police forces' computer systems. The vulnerabilities were revealed during a computer security conference earlier this month, with hackers leaping at the opportunity to exploit the flaw to cause major problems.
Microsoft has released a patch that fixes the vulnerability, however, more than 50% of Microsoft Exchange servers in the UK have not been updated, security researchers have revealed. As such, huge swathes of email users are still vulnerable to hackers.
Among those still open to attack are a number of the British Government's gov.uk domain as well as the police.uk domain used by forces across England, Wales, and Northern Ireland, Sky News revealed.
While it is possible to blame these organisations for dragging their heels with the latest security patches, Kevin Beaumont, a security researcher who has worked for Microsoft in the past, believes some of the responsibility falls at the feet of the company behind the software. Beaumont accused Microsoft of what he described as "knowingly awful" messaging to get customers to update their software.
"Given many organisations vulnerability manage via CVE, it created a situation where Microsoft's customers were misinformed about the severity of one of the most critical enterprise security bugs of the year," Beaumont wrote.
Responding to the criticisms, a spokesperson for Microsoft said: "We released security updates to help keep our customers safe and protected against this attack technique. We recommend that customers adopt a strategy to ensure they are running supported versions of software and promptly install security updates as soon as possible after each monthly security release."